Bugtraq mailing list archives

Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016

From: Cisco Systems Product Security Incident Response Team <psirt () cisco com>
Date: Wed, 2 Mar 2016 21:07:39 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016

Advisory ID: cisco-sa-20160302-openssl

Version 1.0: Interim

For Public Release: 2016 March 2 19:30  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======
On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a 
new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. A total of eight 
Common Vulnerabilities and Exposures (CVEs) were assigned. Of the eight CVEs, three relate to the DROWN attack. The 
remaining CVEs track low severity vulnerabilities.

DROWN is a cross-protocol attack that actively exploits weaknesses in SSL version 2 (SSLv2) to decrypt passively 
collected Transport Layer Security (TLS) sessions. DROWN does not exploit a vulnerability in the TLS protocol or any 
specific implementation of the protocol.

To execute a successful DROWN attack, the attacker must identify a server that supports both SSLv2 and TLS, and uses 
the same RSA key pair for both protocols. The attacker must also be able to collect TLS traffic for the server.

This advisory will be updated as additional information becomes available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJW10S9AAoJEK89gD3EAJB5NdkQAMtgK0CXafb5RAErJk8tL7gh
ssAHSfxqIaa5/LtPKgUZokFGT+lr/QDsjy7dWzYXPOux/sPENgIQZlqwMfUEEw3w
BHIx1H1KhJ4BFKAZTOMUjUmSQJv8rPfllekb87e4sK5+wk9JHO2azJoJ/YQlryBc
b+DdHaltS+bptQ9uai63IVWz8ATDMtdCC7ZeA5lKcx184kVsbScawP46KQCHJwij
IJZ0oCM9B6nagDMH75a53u7YIWz7ugs1CQgUSOoUOwdmgzNWEdohJ4uQL5epwHmY
BDf1pZUMjemZyiP62aXQZnta6vCF0VLC2lrrWx2bfFOHfLQ5cv5ZcAS2CruzN0Y3
ox88g8xQSJkUYggqtzWsD7zuJYN30D59dsfWBxbAjEpK/bjcQnHX9+3oeRuyljBi
L//EVLliYDTCnr/9+u2zCg42H5gsodEGscQZAoHLXvhDTV48/CaimpcISRyudTt8
8bIwgCvB35MbEcH2IIpzbIRjvmIt98CbxQGD5e1FGkBm1lmKqAoP77+h22IdAKh4
8YxN/W7qe0P1mVSfJVu5HYu44ZKKwhxd5ExT7NGCugJdEEB5DobXrsyu0jxR6gdq
VCR+Tw2Xbk+Xuf+lL3cfUaMz+V2Bvqb1zVJpTp3i6ix3qy/Hwssp/bJctM4Cetka
QNJPOHwNdCLuGkSqItKJ
=cvrZ
-----END PGP SIGNATURE-----

Current thread:

Cisco Security Advisory: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016 Cisco Systems Product Security Incident Response Team (Mar 02)